CAs Are Revoking Noncompliant SSL Certificates

Tuesday, March 26, 2019

 

In the past few weeks, the cybersecurity industry has been debating whether there is a need to add a new root certificate. In an attempt to find a technical reason to disqualify this new root request, a researcher inadvertently turned up a misconfiguration in the EJBCA CA tool that many other CAs use to generate serial numbers. The report revealed that over 1.2 million TLS certificates have been misissued by major certificate authorities. The problem, as explained by the researcher and a group of other people, is that TLS certificate serial numbers need to be positive integers. To deal with this, EJBCA has to sacrifice one of the serial number's bits (which would always be zero) to make sure the serial number is a positive integer and, hence, standards compliant.

However, by doing this, a 64-bit serial number effectively becomes a 63-bit serial number, reducing the protection that the serial number ought to provide to the TLS certificate against collision attacks, especially when attackers try to create forged TLS certificates with identical signatures.
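The lost bit can be checked directly. The following Python sketch is an added example, not code from EJBCA or from the original post; the function names and the sample serials are constructed for illustration. It models the sign-bit behaviour described above and audits a batch of serials from one issuer for the resulting 63-bit ceiling.

```python
import secrets

def model_serial(n_bytes: int) -> int:
    """Model of the behaviour described above (not EJBCA's code): draw
    n_bytes at random, then force the top (sign) bit to zero so the
    integer is positive. One bit of randomness is lost."""
    raw = bytearray(secrets.token_bytes(n_bytes))
    raw[0] &= 0x7F
    value = int.from_bytes(raw, "big")
    return value or model_serial(n_bytes)   # zero is not a positive serial

def audit_issuer(serials_hex, required_bits: int = 64) -> dict:
    """Audit serials (hex, colons allowed) issued by one CA.

    A single short serial proves nothing, since a wide random value can
    happen to start with zero bits. If no serial in a large batch ever
    reaches required_bits, the generator is consistent with the
    sign-bit problem and the issuer should be asked about it."""
    values = [int(s.replace(":", ""), 16) for s in serials_hex]
    if not values or any(v <= 0 for v in values):
        raise ValueError("expected one or more positive serial numbers")
    widest = max(v.bit_length() for v in values)
    return {"count": len(values), "widest_bits": widest,
            "suspect": widest < required_bits}

# Constructed sample serials, not taken from real certificates.
SAMPLE_8_BYTE = ["3a:7f:12:9c:44:e0:b1:05", "7e:00:c4:19:5d:aa:02:f3"]
SAMPLE_9_BYTE = ["5c:91:0a:77:d2:3e:88:f1:4b", "1f:d0:36:8a:e7:42:9b:60:c5"]

if __name__ == "__main__":
    print(audit_issuer(SAMPLE_8_BYTE))
    print(audit_issuer(SAMPLE_9_BYTE))
    batch = [format(model_serial(8), "x") for _ in range(1000)]
    print(audit_issuer(batch))
```

With 8 random bytes the widest value the model can ever produce is 63 bits, while 9 bytes (72 bits drawn, 71 kept) clears the 64-bit mark in practice.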

 

The Effects?

Certificate authority operators such as Apple, Google, GoDaddy and other smaller operators that used the EJBCA software platform to generate serial numbers with the minimum 64-bit value are affected, while those CAs that generated 72-bit or larger serial numbers are not. This mass misissuance has seen organizations across the globe scrambling to find and replace the impacted certificates within the 5-day window that CAs have to revoke all non-compliant certificates, as required by industry rules. This problem does not pose a direct security threat to internet users today. However, it may lead to a large number of broken sites in the weeks to come, as SSL certificates have to be replaced on the fly.

 

The Good News

For our esteemed customers on VP-CART Comodo SSL Certificates, there is absolutely no cause for alarm, as our VP-Cart Comodo SSL Certificate has you covered. The VP-CART Comodo SSL Cert. enables you and your customers to complete transactions with the assurance that no one else can read or change information as it travels over the Internet. This improves customers' confidence in your store and in turn increases the visitor conversion rate, lowers cart abandonment and increases the average revenue.

So if you currently have a non-compliant SSL certificate from any of the affected CA operators and you need to immediately re-issue or replace that SSL certificate, look no further than our VP-Cart Comodo SSL Certificate.

 

Why VP-CART SSL?

 

THE VP-CART Comodo Advantage?

  • Assurance that information is kept private while being transmitted
  • Assurance that data sent and received cannot be tampered with or forged
  • Compliance with payment gateway security requirements, SOX, HIPAA and others

Why VP-Cart and Comodo should be your Assurance & Compliance provider?

  • The Comodo logo gives your customers real-time site identity assurance
  • The speed of issuance for identity verified SSL certificates is often within 30 minutes or less
  • One of the lowest cost providers of all leading Certificate Authorities

 

Let me put it this way: digital certificates are very important for online security purposes, but even more critical for security compliance, especially in data-sensitive sectors like the e-commerce industry. There are strict standards across a number of industries that require organizations to encrypt and secure communications, sign documents, and encrypt important files, emails, payments, etc.

To accomplish this, you need your digital certificates – most especially the publicly trusted ones – to be industry compliant. Trust us when we say it pays to be compliant. Sign Up with us Today

 

 

 



